OpenDirectory VLAN Assignment by Group

Theparanoidone Theparanoidone theparanoidone at yahoo.com
Tue Aug 21 21:28:16 CEST 2012


Hi Phil~

>>> You are aware how "Group-Name" works, and which groups it is referring to, right? Specifically, it is not a real attribute, and doesn't exist in a concrete form. Rather, when you perform a comparison, a real-time search is done against the relevant database using the value on the right-hand side.  Group-Name queries the POSIX "getgrnam" APIs, which are normally backed by /etc/group, but can be supplemented/replaced by nsswitch.


Thank you, this is helpful information.  Since the groups we are testing are not actual unix groups but openldap/OpenDirectory groups... I'm assuming there must have been some nsswitch configurations on the old server that helped with this.   Apple appears to use the directory service utils to handle this as there is no nsswitch.conf.  I'm currently looking into nsswitch equivlants for apple  (things like dscl localhost -read /Search) 


>>> Assuming you have it installed, what does:
python -c '\
import grp;\
print "testuser" in grp.getgrnam("testgroup").gr_mem'
...say? This fragment uses the same APIs as "Group-Name".If this says "True" then you've mis-configured FreeRADIUS somehow. If it says "False", then the user isn't in the group as reported by those APIs, and you'll need to query your group database another way. It might be the latter - maybe your new OS X machine isn't pulling Unix group from OpenDirectory, but the old one was?


Thank you for that test code, that is extremely helpful.  

The output on the NEW server returns:  "False"
The output on the OLD server returns:  "True"


From the behavior observed, plus the information you provided above... I agree that it looks like I will have to pull this information in another way.  I just missed your email late last night... in my prior reply I have a working prototype that queries opendirectory for the user authentication  ... and queries the group via openldap (via opendirectory).   It appears to be working; I plan to test it more today.



>>> Usually, using "Group-Name" is a bad choice; if there is a backend database (LDAP, SQL, text files) you are better off querying it directly, rather than interposing the get*nam APIs.

Thank you for this... I did not know that Group-Name is not always the best choice.  I seem to be missing an obvious piece of documentation... but neither   http://freeradius.org/rfc/attributes.html   or   http://freeradius.org/radiusd/man/users.html  or  http://freeradius.org/radiusd/man/rlm_unix.html   mention anything about Group-Name.   Can you point me towards a document describing this?   (tried searching, I must be missing it)

Thanks again.


More information about the Freeradius-Users mailing list